Partner, FireEye has released their most recent M-Trends report, which looks at some of the significant trends and shifts of 2019, including the Hidden Phishing Risks During Mergers and Acquisitions. FireEye previously discussed the risks of integrating a compromised organization into a parent organization in their M-Trends 2012 report, and this issue remains a large threat to organizations today. During a merger or acquisition, tight deadlines are in place to meet business objectives, which sometimes leads the organizations to integrate their computer networks without resolving security objectives, reducing the security of the combined company. In some cases, a single compromised email account could be used to increase the attacker’s access to the entire network.

“We observed an increase in phishing attacks where a compromised email account was used to send phishing emails to additional users in the organization. This is particularly effective in M&A situations, since employees expect communication, sometimes unsolicited, between the organizations. Phishing emails sent within an organization are more likely to bypass checks by email gateways, which are often configured to inspect email entering or leaving an organization’s network. The natural development of relationships between individuals or organizations means the target is more likely to trust such content and enable macros, open attachments, and navigate to a URL using links.”

Attackers also accessed compromised email accounts to bypass multi-factor authentication, used services such as PowerShell, Exchange Control Panel and Exchange Web Services to forward or redirect emails to maintain their access without being discovered, and changed the victim’s Outlook configuration to redirect the system to the attacker’s web page, which was compromised with malware, allowing the attacker to stay inside the network.

“We expect unauthorized access to email, particularly during M&A, to remain a common source of attack for threat actors of varying intent and sophistication. We also expect that the TTPs will evolve with security tools and monitoring. Threat actors will continue to increase the effectiveness of subsequent stages of the targeted attack lifecycle (such as maintaining persistence or data exfiltration).”

So what can you do to protect yourself and your organization?

Organizations will need to protect themselves by adapting their email defenses and monitoring attacker techniques. This will require the organization to implement appropriate email security solutions that detect malicious links and attachments.

In addition to email security, FireEye made a few mitigation and detection strategy recommendations for organizations that are looking at the M&A process in the future:

Conduct a compromise assessment of the acquisition to attempt to identify any current or previous compromises.

Conduct a proactive review searching for evidence of potential attacker activity within the acquiring and acquired networks before integrating them.

Audit rights to identify accounts with access to other users’ email.

Disallow the automatic forwarding of email outside the organization, or regularly audit the forwarding rules on the organization’s mail servers to detect evidence of this technique.
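One way to run the forwarding-rule audit from the last recommendation, shown as an added example that is not from FireEye's report or this blog. It assumes inbox rules were exported to CSV with columns named after the properties Exchange's `Get-InboxRule` returns; the CSV layout, the sample rows and the domain names are constructed.

```python
import csv
import io
import re

# Assumption: mail domains owned by the two merging organizations (constructed).
INTERNAL_DOMAINS = {"parent.example", "acquired.example"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Exchange renders SMTP recipients as: "Display Name" [SMTP:user@domain]
SMTP_RE = re.compile(r"\[SMTP:([^\]\s]+)\]", re.IGNORECASE)

# Constructed sample export, not real data.
SAMPLE_CSV = '''MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage
alice@parent.example,Invoices,True,"""Ext Backup"" [SMTP:archive@mailbox-sync.example]",,,True
bob@acquired.example,Team copy,True,"""Carol"" [SMTP:carol@parent.example]",,,False
dave@acquired.example,RSS,False,,,"""D"" [SMTP:dave.home@webmail.example]",False
erin@parent.example,Newsletters,True,,,,False
'''


def is_internal(address, internal_domains):
    """True when the address belongs to an owned domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_forwards(csv_text, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per external address targeted by a forwarding rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in FORWARD_FIELDS:
            for address in SMTP_RE.findall(row.get(field) or ""):
                if is_internal(address, internal_domains):
                    continue
                findings.append({
                    "mailbox": row["MailboxOwnerId"],
                    "rule": row["Name"],
                    "action": field,
                    "address": address.lower(),
                    # Disabled rules are still reported: they may be evidence of earlier activity.
                    "enabled": row["Enabled"].strip().lower() == "true",
                    # Forward-and-delete leaves no copy for the mailbox owner to notice.
                    "deletes_original": row["DeleteMessage"].strip().lower() == "true",
                })
    return findings


if __name__ == "__main__":
    for finding in external_forwards(SAMPLE_CSV):
        print(finding)
```

During an integration, the internal domain list should cover both organizations' mail domains so that legitimate cross-company forwarding is not reported as external.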

As FireEye mentioned in their trend report, phishing tactics have remained a serious cybersecurity issue for years. Attackers are creating more innovative and convincing ways to take advantage of employees in your organization. To learn more about how you can protect yourself and your business from a phishing attack, check out our blog here:

FireEye is a valued sponsor of Camp Secure Sense 2019. Over the past five years, Camp Secure Sense has been the central hub for our community to get together and talk security. We take real-world security problems and provide the answers you’re looking for in a fun, education-focused environment.

Interested in attending? We’re raffling a CIO Suite to those that register before March 15th here.

Secure Sense is the security provider that cares. We are a team of experts with a passion for IT, and protecting your organization is what motivates us daily. If you have questions, want to learn more about our services or just want to chat security, please give us a shout. If you’re looking to guest blog, please send an email here.